❌

Normal view

Beyond β€œIs Your SOC AI Ready?” Plan the Journey!

9 January 2026 at 20:36

You read the β€œAI-ready SOC pillars” blog, but you still see a lot ofΒ this:

Bungled AI SOC transition

How do we doΒ better?

Let’s go through all 5 pillars aka readiness dimensions and see what we can actually do to make your SOC AI-ready.

#1 SOC Data Foundations

As I said before, this one is my absolute favorite and is at the center of most β€œAI in SOC” (as you recall, I want AI in my SOC, but I dislike the β€œAI SOC” concept) successes (if done well) and failures (if not done atΒ all).

Reminder: pillar #1 is β€œsecurity context and data are available and can be queried by machines (API, Model Context Protocol (MCP), etc) in a scalable and reliable manner.” Put simply, for the AI to work for you, it needs your data. As our friends say here, β€œContext engineering focuses on what information the AI has available. […] For security operations, this distinction is critical. Get the context wrong, and even the most sophisticated model will arrive at inaccurate conclusions.”

Readiness check: Security context and data are available and can be queried by machines in a scalable and reliable manner. This is very easy to check, yet not easy to achieve for many types ofΒ data.

For example, β€œgive AI access to past incidents” is very easy in theory (β€œah, just give it old tickets”) yet often very hard in reality (β€œwhat tickets?” β€œaren’t some too sensitive?”, β€œwait…this ticket didn’t record what happened afterwards and it totally changed the outcome”, β€œwell, these tickets are in another system”, etc,Β etc)

Steps to getΒ ready:

  • Conduct an β€œAPI or Die” data access audit to inventory critical data sources (telemetry and context) and stress-test their APIs (or other access methods) under load to ensure they can handle frequent queries from an AI agent. This is important enough to be a Part 3 blog after thisΒ one…
  • Establish or refine unified, intentional data pipelines for the data you need. This may be your SIEM, this may be a separate security pipeline tool, this may be magick for all I care … but it needs to exist. I met people who use AI to parse human analyst screen videos to understand how humans access legacy data sources, and this is very cool, but perhaps not what you want inΒ prod.
  • Revamp case management to force structured data entry (e.g., categorized root causes, tagged MITRE ATT&CK techniques) instead of relying on garbled unstructured text descriptions, which provides clean training data for future AI learning. And, yes, if you have to ask: modern gen AI can understand your garbled stream of consciousness ticket description…. but what it makes of it, you will neverΒ know…

Where you arrive: your AI component, AI-powered tool or AI agent can get the data it needs nearly every time. The cases where it cannot become visible, and obvious immediately.

#2 SOC Process Framework andΒ Maturity

Reminder: pillar #2 is β€œCommon SOC workflows do NOT rely on human-to-human communication are essential for AI success.” As somebody called it, you need β€œmachine-intelligible processes.”

Readiness check: SOC workflows are defined as machine-intelligible processes that can be queried programmatically, and explicit, structured handoff criteria are established for all Human-in-the-Loop (HITL) processes, clearly delineating what is handled by the agent versus the person. Examples for handoff to human may include high decision uncertainty, lack of context to make a call (see pillar #1), extra-sensitive systems,Β etc.

Common investigation and response workflows do not rely on ad-hoc, human-to-human communication or β€œtribal knowledge,” such knowledge is discovered and brought toΒ surface.

Steps to getΒ ready:

  • Codify the β€œTribal Knowledge” into APIs: Stop burying your detection logic in dusty PDFs or inside the heads of your senior analysts. You must document workflows in a structured, machine-readable format that an AI can actually query. If your contextβ€Šβ€”β€Šlike CMDB or asset inventoryβ€Šβ€”β€Šisn’t accessible via API (BTW MCP is not magic!), your AI is essentially flyingΒ blind.
  • Draw a Hard Line Between Agent and Human: Don’t let the AI β€œguess” its level of authority. Explicitly delegate the high-volume drudgery (log summarization, initial enrichment, IP correlation) to the agent, while keeping high-stakes β€œkill switches” (like shutting down production servers) firmly in humanΒ hands.
  • Implement a β€œGrading” System for Continuous Learning: AI shouldn’t just execute tasks; it needs to go to school. Establish a feedback loop where humans actively β€œgrade” the AI’s triage logic based on historical resolution data. This transforms the system from a static script into a living β€œrecipe” that refines itself overΒ time.
  • Target Processes for AI-Driven Automation: Stop trying to β€œAI all the things.” Identify specific investigation workflows that are candidates for automation and use your historical alert triage data as a training ground to ensure the agent actually learns what β€œgood” looksΒ like.

Where you arrive: The β€œtribal knowledge” that previously drove your SOC is recorded for machine-readable workflows. Explicit, structured handoff points are established for all Human-in-the-Loop processes, and the system uses human grading to continuously refine its logic and improve its β€˜recipe’ over time. This does not mean that everything is rigid; β€œVisio diagram or death” SOC should stay in the 1990s. Recorded and explicit beats rigid and unchanging.

#3 SOC Human Element andΒ Skills

Reminder: pillar #3 is β€œCultivating a culture of augmentation, redefining analyst roles, providing training for human-AI collaboration, and embracing a leadership mindset that accepts probabilistic outcomes.” You say β€œfluffy management crap”? Well, I say β€œignore this and your SOC isΒ dead.”

Readiness check: Leaders have secured formal CISO sign-off on a quantified β€œAI Error Budget,” defining an acceptable, measured, probabilistic error rate for autonomously closed alerts (that is definitely not zero, BTW). The team is evolving to actively review, grade, and edit AI-generated logic and detection output.

Steps to getΒ ready:

  • Implement the β€œAI Error Budget”: Stop pretending AI will be 100% accurate. You must secure formal CISO sign-off on a quantified β€œAI Error Budgetβ€β€Šβ€”β€Ša predefined threshold for acceptable mistakes. If an agent automates 1,000 hours of labor but has a 5% error rate, the leadership needs to acknowledge that trade-off upfront. It’s better to define β€œallowable failure” now than to explain a hallucination during an incident post-mortem.
  • Pivot from β€œRobot Work” to Agent Shepherding: The traditional L1/L2 analyst role is effectively dead; long live the β€œAgent Supervisor.” Instead of manually sifting through logsβ€Šβ€”β€Šwork that is essentially β€œrobot work” anywayβ€Šβ€”β€Šyour team must be trained to review, grade, and edit AI-generated logic. They are no longer just consumers of alerts; they are the β€œEditors-in-Chief” of the SOC’s intelligence.
  • Rebuild the SOC Org Chart and RACI: Adding AI isn’t a β€œplug and play” software update; it’s an organizational redesign. You need to redefine roles: Detection Engineers become AI Logic Editors, and analysts become Supervisors. Most importantly, your RACI must clearly answer the uncomfortable question: If the AI misses a breach, is the accountability with the person who trained the model or the person who supervised theΒ output?

Where you arrive: well, you arrive at a practical realization that you have β€œAI in SOC” (and not AI SOC). The tools augment people (and in some cases, do the work end to end too). No pro- (β€œAI SOC means all humans can go home”) or contra-AI (β€œit makes mistakes and this means we cannot use it”) craziesΒ nearby.

#4 Modern SOC Technology Stack

Reminder: pillar #4 is β€œModern SOC Technology Stack.” If your tools lack APIs, take them and go back to the 1990s from whence you came! Destroy your time machine when you arrive, don’t come back toΒ 2026!

Readiness check: The security stack is modern, fast (β€œno multi-hour data queries”) interoperable and supports new AI capabilities to integrate seamlessly, tools can communicate without a human acting as a manual bridge and can handle agentic AI requestΒ volumes.

Steps to getΒ ready:

  • Mandate β€œDetection-as-Code” (DaC): This is no longer optional. To make your stack machine-readable, you must implement version control (Git), CI/CD pipelines, and automated testing for all detections. If your detection logic isn’t codified, your AI agent has nothing to interact with except a brittle GUIβ€Šβ€”β€Šand that is a recipe forΒ failure.
  • Find Your β€œInteroperability Ceiling” via Stress Testing: Before you go live, simulate reality. Have an agent attempt to enrich 50 alerts simultaneously to see where the pipes burst. Does your SOAR tool hit a rate limit? Does your threat intel provider cut you off? You need to find the breaking point of your tech stack’s interoperability before an actual incident does it forΒ you.
  • Decouple β€œNative” from β€œCustom” Agents: Don’t reinvent the wheel, but don’t expect a vendor’s β€œnative” agent to understand your weird, proprietary legacy systems. Define a clear strategy: use native agents for standard tool-specific tasks, and reserve your engineering resources for custom agents designed to navigate your unique compliance requirements and internal β€œsecretΒ sauce.”

Where you arrive: this sounds like a perfect quote from Captain Obvious but you arrive at the SOC powered by tools that work with automation, and not with β€œhuman bridge” or β€œswivelΒ chair.”

#5 SOC Metrics and FeedbackΒ Loop

Reminder: pillar #5 is β€œYou are ready for AI if you can, after adding AI, answer the β€œwhat got better?” question. You need metrics and a feedback loop to getΒ better.”

Readiness check: Hard baseline metrics (MTTR, MTTD, false positive rates) are established before AI deployment, and the team has a way to quantify the value and improvements resulting from AI. When things get better, you will knowΒ it.

Steps to getΒ ready:

  • Establish the β€œBefore” Baseline and Fix the Data Slop: You cannot claim victory if you don’t know where the goalposts were to begin with. Measure your current MTTR and MTTD rigorously before the first agent is deployed. Simultaneously, force your analysts to stop treating case notes like a private diary. Standardize on structured data entryβ€Šβ€”β€Šcategorized root causes and MITRE tagsβ€Šβ€”β€Šso the machine has β€œclean fuel” to learn from rather than a collection of β€œfixed it” or β€œclosed” comments.
  • Build an β€œAI Gym” Using Your β€œGolden Set”: Do not throw your agents into the deep end of live production traffic on day one. Curate a β€œGolden Set” of your 50–100 most exemplary past incidentsβ€Šβ€”β€Šthe ones with flawless notes, clean data, and correct conclusions. This serves as your benchmark; if the AI can’t solve these β€œsolved” problems correctly, it has no business touching your live environment.
  • Adopt Agent-Specific KPIs for Performance Management: Traditional SOC metrics like β€œnumber of alerts closed” are insufficient for an AI-augmented team. You need to track Agent Accuracy Rate, Agent Time Savings, and Agent Uptime as religiously as you track patch latency. If your agent is hallucinating 5% of its summaries, that needs to be a visible red flag on your dashboard, not a surprise you discover during an incident post-mortem.
  • Close the Loop with Continuous Tuning: Ensure triage results aren’t just filed away to die in an archive. Establish a feedback loop where the results of both human and AI investigations are automatically routed back to tune the underlying detection rules. This transforms your SOC from a static β€œfilter” into a learning system that evolves with everyΒ alert.

Where you arrive: you have a fact-based visual that shows your SOC becoming better in ways important to your mission after you add AI (in fact, you SOC will get better even before AI but after you do the prep-work from this document)

As a result, we can hopefully get to thisΒ instead:

Better introduction of AI intoΒ SOC

The path to an AI-ready SOC isn’t paved with new tools; it’s paved with better data, cleaner processes, and a fundamental shift in how we think about human-machine collaboration. If you ignore these pillars, your AI journey will be a series of expensive lessons in why β€œmagic” isn’t a strategy.

But if you get these right? You move from a SOC that is constantly drowning in alerts to a SOC that operates truly 10X effectiveness.

Random cool visual because Nano BananaΒ :)

P.S. Anton, you said β€œ10X”, so how does this relate to ASO and β€œengineering-led” D&R? I am glad you asked. The five pillars we outlined are not just steps for AI; they are the also steps on the road to ASO (see original 2021 paper which is still β€œthe future” forΒ many).

ASO is the vision for a 10X transformation of the SOC, driven by an adaptive, agile, and highly automated approach to threats. The focus on codified, machine-intelligible workflows, a modern stack supporting Detection-as-Code, and reskilling analysts as β€œAgent Supervisors” directly supports the core of engineering-led D&R. So focusing on these five readiness dimensions, you move from a traditional operations room (lots of β€œO” for operations) to a scalable, engineering-centric D&R function (where β€œE” for engineering dominates).

So, which pillar is your SOC’s current β€˜weakest link’? Let’s discuss in the comments and onΒ socials!

Related blogs and podcasts:


Beyond β€œIs Your SOC AI Ready?” Plan the Journey! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

Drones to Diplomas: How Russia’s Largest Private University is Linked to a $25M Essay Mill

6 December 2025 at 15:45

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

The Nerdify homepage.

The link between essay mills and Russian attack drones might seem improbable, but understanding it begins with a simple question: How does a human-intensive academic cheating service stay relevant in an era when students can simply ask AI to write their term papers? The answer – recasting the business as an AI company – is just the latest chapter in a story of many rebrands that link the operation to Russia’s largest private university.

Search in Google for any terms related to academic cheating services β€” e.g., β€œhelp with exam online” or β€œterm paper online” β€” and you’re likely to encounter websites with the words β€œnerd” or β€œgeek” in them, such as thenerdify[.]com and geekly-hub[.]com. With a simple request sent via text message, you can hire their tutors to help with any assignment.

These nerdy and geeky-branded websites frequently cite their β€œhonor code,” which emphasizes they do not condone academic cheating, will not write your term papers for you, and will only offer support and advice for customers. But according to This Isn’t Fine, a Substack blog about contract cheating and essay mills, the Nerdify brand of websites will happily ignore that mantra.

β€œWe tested the quick SMS for a price quote,” wrote This Isn’t Fine author Joseph Thibault. β€œThe honor code references and platitudes apparently stop at the website. Within three minutes, we confirmed that a full three-page, plagiarism- and AI-free MLA formatted Argumentative essay could be ours for the low price of $141.”

A screenshot from Joseph Thibault’s Substack post shows him purchasing a 3-page paper with the Nerdify service.

Google prohibits ads that β€œenable dishonest behavior.” Yet, a sprawling global essay and homework cheating network run under the Nerdy brands has quietly bought its way to the top of Google searches – booking revenues of almost $25 million through a maze of companies in Cyprus, Malta and Hong Kong, while pitching β€œtutoring” that delivers finished work that students can turn in.

When one Nerdy-related Google Ads account got shut down, the group behind the company would form a new entity with a front-person (typically a young Ukrainian woman), start a new ads account along with a new website and domain name (usually with β€œnerdy” in the brand), and resume running Google ads for the same set of keywords.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:

–Proglobal Solutions LTD (advertised nerdifyit[.]com);
–AW Tech Limited (advertised thenerdify[.]com);
–Geekly Solutions Ltd (advertised geekly-hub[.]com).

Currently active Google Ads accounts for the Nerdify brands include:

-OK Marketing LTD (advertising geekly-hub[.]net⁩), formed in the name of Olha Karpenko, a young Ukrainian woman;
–Two Sigma Solutions LTD (advertising litero[.]ai), formed in the name of Olekszij (Alexey) Pokatilo.

Google’s Ads Transparency page for current Nerdify advertiser OK Marketing LTD.

Mr. Pokatilo has been in the essay-writing business since at least 2009, operating a paper-mill enterprise called Livingston Research alongside Alexander Korsukov, who is listed as an owner. According to a lengthy account from a former employee, Livingston Research mainly farmed its writing tasks out to low-cost workers from Kenya, Philippines, Pakistan, Russia and Ukraine.

Pokatilo moved from Ukraine to the United Kingdom in Sept. 2015 and co-founded a company called Awesome Technologies, which pitched itself as a way for people to outsource tasks by sending a text message to the service’s assistants.

The other co-founder of Awesome Technologies is 36-year-old Filip Perkon, a Swedish man living in London who touts himself as a serial entrepreneur and investor. Years before starting Awesome together, Perkon and Pokatilo co-founded a student group called Russian Business Week while the two were classmates at the London School of Economics. According to the Bulgarian investigative journalist Christo Grozev, Perkon’s birth certificate was issued by the Soviet Embassy in Sweden.

Alexey Pokatilo (left) and Filip Perkon at a Facebook event for startups in San Francisco in mid-2015.

Around the time Perkon and Pokatilo launched Awesome Technologies, Perkon was building a social media propaganda tool called the Russian Diplomatic Online Club, which Perkon said would β€œturbo-charge” Russian messaging online. The club’s newsletter urged subscribers to install in their Twitter accounts a third-party app called Tweetsquad that would retweet Kremlin messaging on the social media platform.

Perkon was praised by the Russian Embassy in London for his efforts: During the contentious Brexit vote that ultimately led to the United Kingdom leaving the European Union, the Russian embassy in London used this spam tweeting tool to auto-retweet the Russian ambassador’s posts from supporters’ accounts.

Neither Mr. Perkon nor Mr. Pokatilo replied to requests for comment.

A review of corporations tied to Mr. Perkon as indexed by the business research service North Data finds he holds or held director positions in several U.K. subsidiaries of Synergy University, Russia’s largest private education provider. Synergy has more than 35,000 students, and sells T-shirts with patriotic slogans such as β€œCrimea is Ours,” and β€œThe Russian Empire β€” Reloaded.”

The president of Synergy University is Vadim Lobov, a Kremlin insider whose headquarters on the outskirts of Moscow reportedly features a wall-sized portrait of Russian President Vladimir Putin in the pop-art style of Andy Warhol. For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

Synergy President Vadim Lobov and Filip Perkon, speaking at a press conference for Russian Film Week, a cross-cultural event in the U.K. co-produced by both men.

Mr. Lobov was one of 11 individuals reportedly hand-picked by the convicted Russian spy Marina Butina to attend the 2017 National Prayer Breakfast held in Washington D.C. just two weeks after President Trump’s first inauguration.

While Synergy University promotes itself as Russia’s largest private educational institution, hundreds of international students tell a different story. Online reviews from students paint a picture of unkept promises: Prospective students from Nigeria, Kenya, Ghana, and other nations paying thousands in advance fees for promised study visas to Russia, only to have their applications denied with no refunds offered.

β€œMy experience with Synergy University has been nothing short of heartbreaking,” reads one such account. β€œWhen I first discovered the school, their representative was extremely responsive and eager to assist. He communicated frequently and made me believe I was in safe hands. However, after paying my hard-earned tuition fees, my visa was denied. It’s been over 9 months since that denial, and despite their promises, I have received no refund whatsoever. My messages are now ignored, and the same representative who once replied instantly no longer responds at all. Synergy University, how can an institution in Europe feel comfortable exploiting the hopes of Africans who trust you with their life savings? This is not just unethical β€” it’s predatory.”

This pattern repeats across reviews by multilingual students from Pakistan, Nepal, India, and various African nations β€” all describing the same scheme: Attractive online marketing, promises of easy visa approval, upfront payment requirements, and then silence after visa denials.

Reddit discussions in r/Moscow and r/AskARussian are filled with warnings. β€œIt’s a scam, a diploma mill,” writes one user. β€œThey literally sell exams. There was an investigation on Rossiya-1 television showing students paying to pass tests.”

The Nerdify website’s β€œAbout Us” page says the company was co-founded by Pokatilo and an American named Brian Mellor. The latter identity seems to have been fabricated, or at least there is no evidence that a person with this name ever worked at Nerdify.

Rather, it appears that the SMS assistance company co-founded by Messrs. Pokatilo and Perkon (Awesome Technologies) fizzled out shortly after its creation, and that Nerdify soon adopted the process of accepting assignment requests via text message and routing them to freelance writers.

A closer look at an early β€œAbout Us” page for Nerdify in The Wayback Machine suggests that Mr. Perkon was the real co-founder of the company: The photo at the top of the page shows four people wearing Nerdify T-shirts seated around a table on a rooftop deck in San Francisco, and the man facing the camera is Perkon.

Filip Perkon, top right, is pictured wearing a Nerdify T-shirt in an archived copy of the company’s About Us page. Image: archive.org.

Where are they now? Pokatilo is currently running a startup called Litero.Ai, which appears to be an AI-based essay writing service. In July 2025, Mr. Pokatilo received pre-seed funding of $800,000 for Litero from an investment program backed by the venture capital firms AltaIR Capital, Yellow Rocks, Smart Partnership Capital, and I2BF Global Ventures.

Meanwhile, Filip Perkon is busy setting up toy rubber duck stores in Miami and in at least three locations in the United Kingdom. These β€œDuck World” shops market themselves as β€œthe world’s largest duck store.”

This past week, Mr. Lobov was in India with Putin’s entourage on a charm tour with India’s Prime Minister Narendra Modi. Although Synergy is billed as an educational institution, a review of the company’s sprawling corporate footprint (via DNS) shows it also is assisting the Russian government in its war against Ukraine.

Synergy University President Vadim Lobov (right) pictured this week in India next to Natalia Popova, a Russian TV presenter known for her close ties to Putin’s family, particularly Putin’s daughter, who works with Popova at the education and culture-focused Innopraktika Foundation.

The website bpla.synergy[.]bot, for instance, says the company is involved in developing combat drones to aid Russian forces and to evade international sanctions on the supply and re-export of high-tech products.

A screenshot from the website of synergy,bot shows the company is actively engaged in building armed drones for the war in Ukraine.

KrebsOnSecurity would like to thank the anonymous researcher NatInfoSec for their assistance in this investigation.

Update, Dec. 8, 10:06 a.m. ET: Mr. Pokatilo responded to requests for comment after the publication of this story. Pokatilo said he has no relation to Synergy nor to Mr. Lobov, and that his work with Mr. Perkon ended with the dissolution of Awesome Technologies.

β€œI have had no involvement in any of his projects and business activities mentioned in the article and he has no involvement in Litero.ai,” Pokatilo said of Perkon.

Mr. Pokatilo said his new company Litero β€œdoes not provide contract cheating services and is built specifically to improve transparency and academic integrity in the age of universal use of AI by students.”

β€œI am Ukrainian,” he said in an email. β€œMy close friends, colleagues, and some family members continue to live in Ukraine under the ongoing invasion. Any suggestion that I or my company may be connected in any way to Russia’s war efforts is deeply offensive on a personal level and harmful to the reputation of Litero.ai, a company where many team members are Ukrainian.”

Update, Dec. 11, 12:07 p.m. ET: Mr. Perkon responded to requests for comment after the publication of this story. Perkon said the photo of him in a Nerdify T-shirt (see screenshot above) was taken after a startup event in San Francisco, where he volunteered to act as a photo model to help friends with their project.

β€œI have no business or other relations to Nerdify or any other ventures in that space,” Mr. Perkon said in an email response. β€œAs for Vadim Lobov, I worked for Venture Capital arm at Synergy until 2013 as well as his business school project in the UK, that didn’t get off the ground, so the company related to this was made dormant. Then Synergy kindly provided sponsorship for my Russian Film Week event that I created and ran until 2022 in the U.K., an event that became the biggest independent Russian film festival outside of Russia. Since the start of the Ukraine war in 2022 I closed the festival down.”

β€œI have had no business with Vadim Lobov since 2021 (the last film festival) and I don’t keep track of his endeavours,” Perkon continued. β€œAs for Alexey Pokatilo, we are university friends. Our business relationship has ended after the concierge service Awesome Technologies didn’t work out, many years ago.”

SOC Visibility Triad is Now A Quadβ€Šβ€”β€ŠSOC Visibility Quad 2025

4 August 2025 at 23:53

SOC Visibility Triad is Now A Quadβ€Šβ€”β€ŠSOC Visibility QuadΒ 2025

I will be really, really honest with youβ€Šβ€”β€ŠI have been totally β€œwriter-blocked” and so I decided to release it anyway today … given theΒ date.

So abit of history first. So, my β€œSOC visibility triad” was released on August 4, 2015 as a Gartner blog (it then appeared in quite a few papers, and kinda became a thing). It stated that to have good SOC visibility you need to monitor logs (L), endpoint (E) sources and network (N) sources. So, L+E+N was the original triad of 2015. Note that this covers monitoring mechanisms, not domains of security (more on this later; this matters!)

5 years later, in 2020, I revisited the triad, and after some agonizing thinking (shown at the above link), I kept it a triad. Not a quad, not a pentagram, not a freakin’ hex.

So, here in 2025, I am going to agonize much moreΒ .. and then make a call (hint: blog title has a spoiler!)

How do we change myΒ triad?

First, should we …

… Cut Off aΒ Leg?

Let’s look at whether the three original pillars should still be here in 2025. We are, of course, talking about endpoint visibility, network visibility andΒ logs.

(src: Gartner via 2020Β blog)

My 2020 analysis concluded that the triad is still very relevant, but potential for a fourth pillar is emerging. Before we commit to this possibly being a SOC visibility quadβ€Šβ€”β€Šthat is, dangerously close to a quadrantβ€Šβ€”β€Šlet’s check if any of the original pillars need to beΒ removed.

Many organizations have evolved quite a bit since 2015 (duh!). At the same time, there are many organizations where IT processes seemingly have not evolved all that much since the 1990sΒ (oops!).

First, I would venture a guess that, given that EDR business is booming, the endpoint visibility is still key to most security operations teams. A recent debate of Sysmon versus EDR is a reflection of that. Admittedly, EDR-centric SOCs peaked perhaps in 2021, and XDR fortunately died since that time, but endpoints stillΒ matter.

Similarly, while the importance of sniffing the traffic has been slowly decreasing due to encryption and bandwidth growth, cloud native environments and more distributed work, network monitoring (now officially called NDR) is still quite relevant at many companies. You may say that β€œtcpdump was created in 1988” and that β€œ1980s are so over”, but people still sniff. Packets, thatΒ is.

The third pillar of the original triadβ€Šβ€”β€Šlogsβ€Šβ€”β€Šneeds no defense. Log analysis is very much a booming business and the arrival of modern IT infrastructure and practices, cloud DevOps and others have only bolstered the importance of logs (and of course their volume). A small nit appears here: are eBPF traces logs? Let’s defer this question, we don’t need this answer to reassert the dominance of logs for detection and response.

At this point, I consider the original three legs of a triad to be well defended. They are still relevant, even though it is very clear that for true cloud native environments, the role of E (endpoint) and N (network) has decreased in relative terms, while importance of logs increased (logs became more load bearing?Β Yes!)

Second, should we …

Add aΒ Leg?

Now for the additions I’ve had a few recent discussions with people about this, and I’m happy to go through a few candidates.

Add Cloud Visibility?

First, let’s tackle cloud. There are some arguments that cloud represents a new visibility pillar. The arguments in favor include the fact that cloud environments are different and that cloud visibility is critical. However, to me, a strong counterpoint is that cloud visibility In many cases, is provided by endpoint, network, and logs, as well as a few things. We will touch these β€œfew things” in aΒ moment.

YES?

  • Cloud native environments are different, they suppress E andΒ N
  • Cloud visibility is crucialΒ today
  • Addresses unique cloud challenges
  • Cloud context is different, even if E and N pillars are used for visibility
  • CDR is a thing someΒ say

NO?

  • Cloud INCLUDES logs (lots, some say 3X in volume), and also E andΒ N
  • Too much overlap with other pillars (such as E andΒ N)
  • Cloud is a domain, not a mechanism for visibility.
  • CDR is not a thing,Β perhaps

Verdict:

  • NO, not a new pillar, part of triad already (via all otherΒ pillars)

Add Identity Visibility?

The second candidate to be added is, of course, identity. Here we have a much stronger case that identity needs to be added as a pillar. So perhaps we would have an endpoint, network, logs and identity as our model. Let’s review some pros and cons for identity as a visibility pillar.

YES?

  • Identity is key in the cloud; we observe a lot of things via IDP … logs (wait.. we already have a pillar calledΒ β€œlogs”)
  • By making identity a dedicated pillar, organizations can ensure that it receives the attention
  • ITDR is aΒ thing

NO?

  • But identity visibility is in the logs … we already haveΒ logs!
  • Too much overlap with other pillars (such as logs and E asΒ well)
  • Identity is hugely useful and critical, but as context. This post is about activityΒ streams
  • ITDR is kinda a thing, but it is also not aΒ thing

Verdict:

  • Sorry, still a NO, but a weak NO. Identity is critical as context for logs, endpoint data and network telemetry, but it is not (on its own) a visibility mechanism.

Still, I don’t want to say that identity is merely just about logs, because β€œbaby … bathwater.” Some of the emerging ITDR solutions are not simply relying on logs. I don’t think that identity is necessarily a new pillar, but there are strong arguments that perhaps it shouldΒ be…

What do you thinkβ€Šβ€”β€Šshould identity be a new visibility pillar?

Add Application visibility?

Hold on here, Anton, we need moreΒ data!

Here:

(source: XΒ poll)

and

(source: LinkedInΒ poll)

Now let’s tackle the final candidate, the one I considered in 2020 to be the fourth leg of a three legged stool. There is, of course, application visibility, powered by increased popularity of observability data, eBPF, etc. Application visibility is not really covered by endpoint orgs and definitely not by EDR observation. Similarly, application visibility is very hard to deduce from network trafficΒ data.

YES?

  • Application visibility is not covered by E and N wellΒ enough
  • SaaS, cloud applications andβ€Šβ€”β€ŠYES!β€Šβ€”β€ŠAI agents require deep application visibility.
  • This enables deeper insights of the app guts, as well as businessΒ logic

NO?

  • Is it just logs? Is it,Β though?
  • Do organizations have to do application visibility (via ADR or whatever?) Is this a MUST-HAVE … but forΒ 2030?
  • Are many really ready for it in their SOCsΒ today?

Verdict:

  • YES! I think to have a good 2025 SOC you must have the 4th pillar of application visibility.
  • And, yes, many are not ready for it yet, but this isΒ coming…

So, we have a winner. Anton’s SOC visibility QUAD ofΒ 2025

  1. Logs
  2. Endpoint
  3. Network
  4. Application
SOC visibility quad 2025 by AntonΒ Chuvakin

Are you ready? … Ready or not, HERE WEΒ GOOOO!

Related blogs:


SOC Visibility Triad is Now A Quadβ€Šβ€”β€ŠSOC Visibility Quad 2025 was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

Beyond Gates and Alarms: The Scope and Impact of Physical Security Intelligence

Blogs

Blog

Beyond Gates and Alarms: The Scope and Impact of Physical Security Intelligence

Exploring the role of physical security intelligence, which helps governments and commercial enterprises keep people, places, and assets safe

SHARE THIS:
Default Author Image
May 15, 2023

What is Physical Security Intelligence?

When most people think of physical security, they often think about access control measures or physical security systems. These include gates, alarms, surveillance cameras, and security guards. These measures are fundamental to protecting facilities, as well as the people, assets, and infrastructure inside of them. However, these measures fail to address several external factors. These factors include the impact of natural disasters, terrorist attacks, and insider threats on physical security.

Why is Physical Security Intelligence Important?

That is where physical security intelligence comes into play. Physical security intelligence delivers mission-critical insights into real-time situations occurring globally. It empowers governments and commercial enterprises to safeguard, defend, and enhance the security of individuals, locations, and physical assets.

Physical security intelligence is built on external information. This includes social media and other online channels. It provides situational awareness and insights into potential physical security threats in their earliest stages.

Where Physical and Cyber Threat Intelligence Collide

Cyber and physical threats are increasingly related. In fact, most attacks on people, places, and infrastructure involve some degree of online communication. Real-world events are often enabled or bolstered by cyber-related activities. An example is when a threat actor uses an online discussion forum or social media network to plan a physical attack.

Decentralized open-source channels like Telegram have become an increasingly popular medium for both cyber and physical threat actors. These channels have eroded long-standing barriers to entry to the deep and dark web. When that communication takes place in publicly available channels, security teams can use that information to investigate the incident. Ideally, they can be alerted to early warning indicators and prevent it altogether.

Case Study: Physical Security Intelligence

How Flashpoint Helped the Community Security Initiative (NY) Stop a Potential Synagogue Shooting

Read now

The Impact of Open-Source Intelligence (OSINT)

Physical security intelligence reduces information gaps and leads to more proactive physical security. Open-source intelligence is a critical resource for these applications.

OSINT involves gathering and analyzing publicly available information to derive meaningful insights. In recent years, OSINT has become one of the most relied-upon forms of intelligence for the US government. Its abundance and low barrier to entry make OSINT increasingly useful for commercial enterprises as well.

Thanks to the smartphone, open sources like social media often provide the most up-to-the-minute information about breaking events. Tapping into this data gives security and intelligence teams the real-time information necessary for addressing immediate crises and generating timely intelligence. OSINT provides incredible value for both public and private sector teams. This is true as long as they have the tools and capabilities to gather and analyze the abundance of information effectively.

Examples of Physical Security Intelligence Use Cases

How understanding physical risk can enable corporate physical security teams and public sector organizations to address a wide range of challenges.

Global Situational Awareness

Open-source data can improve situational awareness. It does this by providing insight related to geopolitics, public sentiment, technology developments, and on-the-ground activities in areas of interest. This is especially true when that data is enriched with geospatial information. This information includes where the posts originated, or what locations were mentioned within the post contents and metadata.

Crisis Response

Open-source data provides real-time information for events like natural disasters, public health crises, and terrorist attacks. This information helps security teams stay alert to breaking events, assess impacts, and respond appropriately.

Executive Protection and Force ProtectionΒ 

Across the public and private sectors, threats to personnel come from all directions. This ranges from unforeseen travel risks to doxing and reputational risks, such as bad press. Leveraging OSINT is crucial for surfacing this information and reducing blind spots. It is a strategic complement to traditional executive protection methods like bodyguards and security cameras.

Flashpoint Ignite equips physical security teams with real-time access to the most extensive breadth of open-source information available.

Flashpoint Ignite equips physical security teams with real-time access to the most extensive breadth of open-source information available.

Persistent Threat Analysis

Persistent security concerns like terrorism rely on social media and other online channels to spread. OSINT helps physical security and intelligence teams monitor evolving web-based chatter to improve visibility and defend against those threats.

Insider Threats

Social dissent, burnout, and various other factors have dramatically shifted the insider threat landscape. Disgruntled employees may take action against organizations. This could include disclosing confidential data or disrupting business operations. They often discuss these topics online before taking action. Government, healthcare, big tech, and media are especially vulnerable.

Physical Attacks

Social media and discussion websites are often used to share violent intent and plan events. For example, the Capitol Hill insurrection was planned online for weeks prior to the attack. Bad actors tend to be more candid in online settings. This is because their identity is anonymous, and they are engaging with like-minded communities.

Supply Chain Disruptions

Disruptions like natural disasters or geopolitical conflicts can halt or delay the flow of goods along the supply chain. Monitoring open sources for these disruptions can provide early warning indicators. It can also help you assess if your organization will be impacted down the line.

Event Monitoring

It is vital to have the right physical security intelligence protocols in place. This ensures the security of an event and its attendees. Physical security intelligence can augment an organization’s overall security and intelligence operations during an event. This could be a high-profile conference with global attendees or a smaller affair. Physical security intelligence can include pre-event assessments, daily stand-ups, and monitoring and alerting of imminent and potential threats. Protecting a locationβ€”and the people around itβ€”is also essential to strengthening brand reputation

Flashpoint Ignite for Physical Security Teams

Flashpoint’s Physical Security Intelligence (PSI) solution is part of the Ignite platform. It gathers open-source data from a variety of online spaces. These range from mainstream social media, discussion forums, fringe networks, messaging apps, and regional sources from around the world. The solution is fast and intuitive. It allows users to search, filter, monitor, and analyze the data in a customizable dashboard. User-generated alerts ensure that the right team gets notified if new, relevant content is detected. Enrichments like geolocation, language detection, and threat detection provide valuable context to the information discovered.

Request a demo today.

Request a demo today.

Social Engineering in Japan

By: BHIS
2 January 2019 at 16:28

Kelsey Bellew//* It’s an occupational hazard to see vulnerabilities everywhere. When I see a router sitting in plain sight I think, β€œThe default creds are probably printed on the back; […]

The post Social Engineering in Japan appeared first on Black Hills Information Security, Inc..

A Career in Information Security: FAQ (Part 2)

By: BHIS
1 October 2018 at 16:34

Staff// If you missed part one, you can get caught up here:Β www.blackhillsinfosec.com/a-career-in-information-security-faq-part-1/ Let’s jump straight back in to the Q & A! 4)What are some of the college courses that […]

The post A Career in Information Security: FAQ (Part 2) appeared first on Black Hills Information Security, Inc..

A Career in Information Security: FAQ (Part 1)

By: BHIS
27 September 2018 at 20:42

Staff// We recently received an email from someone working on their degree who had some questions for whichever tester we could round up. They were great questions and since we […]

The post A Career in Information Security: FAQ (Part 1) appeared first on Black Hills Information Security, Inc..

PODCAST: Highly Caffeinated InfoSec

Join Beau Bullock and Mike Felch as they talk about ways to learn more, network and wake up your inner hacker. See the full episode hereΒ and look at the slides […]

The post PODCAST: Highly Caffeinated InfoSec appeared first on Black Hills Information Security, Inc..

πŸ’Ύ

What I Wish I Would Have Known

Bre Schumacher// Many of you were probably asked as a young child what you wanted to be when you grew up. Maybe you had an idea of something that sounded […]

The post What I Wish I Would Have Known appeared first on Black Hills Information Security, Inc..

Five Signs Your Organization Is Failing at Security

By: BHIS
18 September 2017 at 17:50

@1iJax aka The Security Viking// Just when you think the drum has been beaten loudly enough for long enough, a quick survey of organizations across the spectrum will find many […]

The post Five Signs Your Organization Is Failing at Security appeared first on Black Hills Information Security, Inc..

❌